DanielCP-7464 asked Sean-Liming commented

UWF with Windows Defender

Hi Everyone,

I have been using Windows Embedded (now IoT) since XP Embedded for systems manufactured by my company. We are currently using Windows IoT Enterprise 2019 with UWF enabled. I would like to enable Windows Defender on the systems, but it writes into the "ProgramData\Microsoft\Windows Defender" folder every time it updates or runs a scan. I have this folder excluded from the overlay, but since the overlay still grows with excluded files, the overlay completely fills up after about a week of scans.

Microsoft's recommendation is to use junction points instead of exclusions; however, Windows Defender protects this folder and does not allow it to be moved. I have also looked to see if the Defender folder can be changed in a registry key, but I was not successful.

Has anyone else dealt with and resolved this issue?

Thank you.

windows-10-general windows-10-security windows-10-setup windows-iot-10core

Sean-Liming answered Sean-Liming commented

When OS and Defender updates are performed, do you disable UWF first?


When OS updates are performed, UWF is disabled. When Defender updates are performed, UWF is enabled. Defender updates seem to happen nearly every day, so disabling UWF is not practical. I have followed the Microsoft recommendation for excluding the updates from UWF protection, and it does work as expected, with the exception of the overlay growing anyway.

P.S. I love your books and have read all of them since XP Embedded.

0 Votes 0 ·

One problem is that all writes, regardless of write-through or no-write-through, are written to the overlay. If the system is not rebooted, the UWF overlay will fill up. I don't know your system, but maybe performing a reboot once in a while might help. The UWF API can provide information on overlay size. A program could be written to detect when the overlay is getting full and trigger a message or just reboot.

The other problem is controlling Windows Update. I recommend that Windows Update be turned off, and you control the updates that get put on the system. Most of my clients will put a tested update package (including the Windows Defender update) out twice a year, and one sooner if a critical update is needed to get out. Controlling updates allows you to test all the updates so they don't break anything.

Thanks for the feedback on the books!

0 Votes 0 ·
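The overlay check suggested in the comment above, as an added example that is not part of the original thread: it reads the UWF WMI provider's `UWF_Overlay` and `UWF_Filter` classes, logs a warning as the overlay fills, and restarts through UWF before it is full. The two percentages and the event source name are assumptions, and capacity is estimated as consumption plus available space.

```powershell
# Added example: watch the UWF overlay and restart before it fills.
# Run elevated, for instance from a scheduled task.
$Namespace      = 'root\standardcimv2\embedded'  # UWF WMI provider namespace
$WarnPercent    = 80                  # assumed warning level
$RestartPercent = 90                  # assumed restart level
$EventSource    = 'UwfOverlayWatch'   # hypothetical event source name

function Get-UwfOverlayUsage {
    # UWF_Overlay reports OverlayConsumption and AvailableSpace in megabytes.
    $overlay = Get-CimInstance -Namespace $Namespace -ClassName UWF_Overlay |
        Select-Object -First 1
    $used  = [double]$overlay.OverlayConsumption
    $free  = [double]$overlay.AvailableSpace
    $total = $used + $free            # assumption: used + free is the capacity
    $pct   = if ($total -gt 0) { [math]::Round(100 * $used / $total, 1) } else { 0 }
    [pscustomobject]@{ UsedMB = $used; FreeMB = $free; PercentUsed = $pct }
}

$filter = Get-CimInstance -Namespace $Namespace -ClassName UWF_Filter
if (-not $filter.CurrentEnabled) { return }   # nothing to watch when UWF is off

# Register the event source once so operators can alert on these entries.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$usage = Get-UwfOverlayUsage
$text  = "UWF overlay: $($usage.UsedMB) MB used, $($usage.FreeMB) MB free ($($usage.PercentUsed)% used)."

if ($usage.PercentUsed -ge $RestartPercent) {
    Write-EventLog -LogName Application -Source $EventSource -EventId 2 `
        -EntryType Error -Message "$text Restarting to clear the overlay."
    # UWF_Filter.RestartSystem restarts safely even when the overlay is nearly full.
    Invoke-CimMethod -InputObject $filter -MethodName RestartSystem | Out-Null
}
elseif ($usage.PercentUsed -ge $WarnPercent) {
    Write-EventLog -LogName Application -Source $EventSource -EventId 1 `
        -EntryType Warning -Message $text
}
```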
TeemoTang-MSFT answered

Unfortunately, there is not a solution for your demand; what I can think of is a workaround.
If you find that the overlay completely fills up after about a week of scans, we can delete all files in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store; Defender still appears to be working fine.

